cdk-factory 0.15.10__py3-none-any.whl → 0.18.9__py3-none-any.whl

cdk_factory/configurations/resources/rds.py

@@ -4,9 +4,16 @@ Maintainers: Eric Wilson
 MIT License. See Project Root for license information.
 """
 
-from typing import Any, Dict, List, Optional
+import re
+from typing import Any, Dict, List, Optional, Tuple, Literal
+from aws_lambda_powertools import Logger
 from cdk_factory.configurations.enhanced_base_config import EnhancedBaseConfig
 
+logger = Logger(service="RdsConfig")
+
+# Supported RDS engines
+Engine = Literal["mysql", "mariadb", "postgres", "aurora-mysql", "aurora-postgres", "sqlserver", "oracle"]
+
 
 class RdsConfig(EnhancedBaseConfig):
     """
@@ -23,6 +30,74 @@ class RdsConfig(EnhancedBaseConfig):
     def name(self) -> str:
         """RDS instance name"""
         return self.__config.get("name", "database")
+    
+    @property
+    def identifier(self) -> str:
+        """RDS DB instance identifier (sanitized)"""
+        raw_id = self.__config.get("identifier", self.name)
+        return self._sanitize_instance_identifier(raw_id)
+    
+    def _sanitize_instance_identifier(self, identifier: str) -> str:
+        """
+        Sanitize DB instance identifier to meet RDS requirements:
+        - 1-63 chars, lowercase letters/digits/hyphen
+        - Must start with letter, can't end with hyphen, no consecutive hyphens
+        """
+        if not identifier:
+            raise ValueError("Instance identifier cannot be empty")
+        
+        sanitized, notes = self._sanitize_instance_identifier_impl(identifier)
+        
+        if notes:
+            logger.info(f"Sanitized instance identifier from '{identifier}' to '{sanitized}': {', '.join(notes)}")
+        
+        return sanitized
+    
+    def _sanitize_instance_identifier_impl(self, identifier: str) -> Tuple[str, List[str]]:
+        """
+        DB instance identifier rules (all engines):
+        - 1-63 chars, lowercase letters/digits/hyphen
+        - Must start with letter
+        - Can't end with hyphen
+        - No consecutive hyphens (--)
+        """
+        notes: List[str] = []
+        s = identifier.lower()
+        
+        # Keep only lowercase letters, digits, hyphen
+        s_clean = re.sub(r"[^a-z0-9-]", "", s)
+        if s_clean != s:
+            notes.append("removed invalid characters (only a-z, 0-9, '-' allowed)")
+        s = s_clean
+        
+        if not s:
+            raise ValueError(f"Instance identifier '{identifier}' contains no valid characters")
+        
+        # Must start with letter
+        if not re.match(r"^[a-z]", s):
+            s = f"db{s}"
+            notes.append("prefixed with 'db' to start with a letter")
+        
+        # Collapse consecutive hyphens
+        s_collapsed = re.sub(r"-{2,}", "-", s)
+        if s_collapsed != s:
+            s = s_collapsed
+            notes.append("collapsed consecutive hyphens")
+        
+        # Can't end with hyphen
+        if s.endswith("-"):
+            s = s.rstrip("-")
+            notes.append("removed trailing hyphen")
+        
+        # Truncate to 63 characters
+        if len(s) > 63:
+            s = s[:63]
+            # Make sure we didn't truncate to a trailing hyphen
+            if s.endswith("-"):
+                s = s.rstrip("-")
+            notes.append("truncated to 63 characters")
+        
+        return s, notes
 
     @property
     def engine(self) -> str:
@@ -44,27 +119,48 @@ class RdsConfig(EnhancedBaseConfig):
 
     @property
     def database_name(self) -> str:
-        """Name of the database to create"""
-        return self.__config.get("database_name", "appdb")
+        """Name of the database to create (sanitized for RDS requirements)"""
+        raw_name = self.__config.get("database_name", "appdb")
+        return self._sanitize_database_name(raw_name)
 
     @property
     def username(self) -> str:
-        """Master username for the database"""
-        return self.__config.get("username", "appuser")
+        """Master username for the database (sanitized for RDS requirements)"""
+        raw_username = self.__config.get("username", "appuser") 
+        return self._sanitize_username(raw_username)
 
     @property
     def secret_name(self) -> str:
-        """Name of the secret to store credentials"""
-        env_name = self.__deployment.environment if self.__deployment else None
+        """Name of the secret to store credentials (includes workload to prevent collisions)"""
+        if "secret_name" in self.__config:
+            return self.__config["secret_name"]
+        
+        # Build a unique secret name using environment and workload
+        if not self.__deployment:
+            raise ValueError("No deployment context found for RDS secret name")
+        
+        env_name = self.__deployment.environment
+        workload_name = self.__deployment.workload_name
+        
         if not env_name:
-            raise ValueError("No environment found for RDS secret name.  Please add an environment to the deployment.")
-        return self.__config.get("secret_name", f"/{env_name}/db/creds")
+            raise ValueError("No environment found for RDS secret name. Please add an environment to the deployment.")
+        if not workload_name:
+            raise ValueError("No workload name found for RDS secret name. Please add a workload name to the deployment.")
+        
+        # Default pattern: /{environment}/{workload}/rds/credentials
+        return f"/{env_name}/{workload_name}/rds/credentials"
 
     @property
     def allocated_storage(self) -> int:
         """Allocated storage in GB"""
         # Ensure we return an integer
         return int(self.__config.get("allocated_storage", 20))
+    
+    @property
+    def max_allocated_storage(self) -> Optional[int]:
+        """Maximum storage for auto-scaling in GB (enables storage auto-scaling if set)"""
+        max_storage = self.__config.get("max_allocated_storage")
+        return int(max_storage) if max_storage is not None else None
 
     @property
     def storage_encrypted(self) -> bool:
@@ -90,6 +186,11 @@ class RdsConfig(EnhancedBaseConfig):
     def enable_performance_insights(self) -> bool:
         """Whether to enable Performance Insights"""
         return self.__config.get("enable_performance_insights", True)
+    
+    @property
+    def allow_major_version_upgrade(self) -> bool:
+        """Whether to allow major version upgrades"""
+        return self.__config.get("allow_major_version_upgrade", False)
 
     @property
     def subnet_group_name(self) -> str:
@@ -103,8 +204,37 @@ class RdsConfig(EnhancedBaseConfig):
 
     @property
     def cloudwatch_logs_exports(self) -> List[str]:
-        """Log types to export to CloudWatch"""
-        return self.__config.get("cloudwatch_logs_exports", ["postgresql"])
+        """
+        Log types to export to CloudWatch (engine-specific).
+        Returns configured log types or engine-specific defaults.
+        """
+        # If explicitly configured, use that
+        if "cloudwatch_logs_exports" in self.__config:
+            return self.__config["cloudwatch_logs_exports"]
+        
+        # Otherwise, return engine-specific defaults
+        engine = self.engine.lower()
+        
+        # MySQL / MariaDB
+        if engine in ("mysql", "mariadb", "aurora-mysql"):
+            return ["error", "general", "slowquery"]
+        
+        # PostgreSQL
+        elif engine in ("postgres", "postgresql", "aurora-postgres", "aurora-postgresql"):
+            return ["postgresql"]
+        
+        # SQL Server
+        elif engine in ("sqlserver", "sqlserver-ee", "sqlserver-se", "sqlserver-ex", "sqlserver-web"):
+            return ["error", "agent"]
+        
+        # Oracle
+        elif engine in ("oracle", "oracle-ee", "oracle-se2", "oracle-se1"):
+            return ["alert", "audit", "trace"]
+        
+        # Default to empty list for unknown engines (safer than guessing)
+        else:
+            logger.warning(f"Unknown engine '{engine}', disabling CloudWatch logs exports by default")
+            return []
 
     @property
     def removal_policy(self) -> str:
@@ -131,18 +261,174 @@ class RdsConfig(EnhancedBaseConfig):
         """Sets the VPC ID for the Security Group"""
         self.__config["vpc_id"] = value
 
+    @property
+    def ssm(self) -> Dict[str, Any]:
+        """SSM configuration"""
+        return self.__config.get("ssm", {})
+
     @property
     def ssm_imports(self) -> Dict[str, str]:
         """SSM parameter imports for the RDS instance"""
-        # Check both nested and flat structures for backwards compatibility
-        if "ssm" in self.__config and "imports" in self.__config["ssm"]:
-            return self.__config["ssm"]["imports"]
-        return self.__config.get("ssm_imports", {})
+        return self.ssm.get("imports", {})
 
     @property
     def ssm_exports(self) -> Dict[str, str]:
         """SSM parameter exports for the RDS instance"""
-        # Check both nested and flat structures for backwards compatibility
-        if "ssm" in self.__config and "exports" in self.__config["ssm"]:
-            return self.__config["ssm"]["exports"]
-        return self.__config.get("ssm_exports", {})
+        return self.ssm.get("exports", {})
+    
+    def _sanitize_database_name(self, name: str) -> str:
+        """
+        Sanitize database name to meet RDS requirements (engine-specific).
+        Implements rules from RDS documentation for each engine type.
+        
+        Args:
+            name: Raw database name from config
+            
+        Returns:
+            Sanitized database name
+            
+        Raises:
+            ValueError: If name cannot be sanitized to meet requirements
+        """
+        if not name:
+            raise ValueError("Database name cannot be empty")
+        
+        engine = self.engine.lower()
+        sanitized, notes = self._sanitize_db_name_impl(engine, name)
+        
+        if notes:
+            logger.info(f"Sanitized database name from '{name}' to '{sanitized}': {', '.join(notes)}")
+        
+        return sanitized
+    
+    def _sanitize_db_name_impl(self, engine: str, name: str) -> Tuple[str, List[str]]:
+        """
+        Engine-specific database name sanitization.
+        Based on AWS RDS naming requirements:
+        - MySQL/MariaDB: 1-64 chars, start with letter, letters/digits/underscore
+        - PostgreSQL: 1-63 chars, start with letter, letters/digits/underscore
+        - SQL Server: 1-128 chars, start with letter, letters/digits/underscore
+        - Oracle: 1-8 chars (SID), alphanumeric only, start with letter
+        """
+        notes: List[str] = []
+        
+        # Determine engine-specific limits
+        if engine in ("mysql", "mariadb", "aurora-mysql"):
+            allowed_chars = r"A-Za-z0-9_"
+            max_len = 64
+        elif engine in ("postgres", "postgresql", "aurora-postgres", "aurora-postgresql"):
+            allowed_chars = r"A-Za-z0-9_"
+            max_len = 63
+        elif engine in ("sqlserver", "sqlserver-ee", "sqlserver-se", "sqlserver-ex", "sqlserver-web"):
+            allowed_chars = r"A-Za-z0-9_"
+            max_len = 128
+        elif engine in ("oracle", "oracle-ee", "oracle-se2", "oracle-se1"):
+            allowed_chars = r"A-Za-z0-9"  # No underscore for Oracle SID
+            max_len = 8
+        else:
+            # Default to conservative rules
+            allowed_chars = r"A-Za-z0-9_"
+            max_len = 64
+            notes.append(f"unknown engine '{engine}', using default MySQL rules")
+        
+        # Replace hyphens with underscores (except Oracle which doesn't allow underscores)
+        s = name
+        if "oracle" not in engine:
+            s = s.replace("-", "_")
+            if "_" in name and "-" in name:
+                notes.append("replaced hyphens with underscores")
+        
+        # Strip disallowed characters
+        s_clean = re.sub(f"[^{allowed_chars}]", "", s)
+        if s_clean != s:
+            notes.append("removed invalid characters")
+        s = s_clean
+        
+        if not s:
+            raise ValueError(f"Database name '{name}' contains no valid characters after sanitization")
+        
+        # Must start with a letter
+        if not re.match(r"^[A-Za-z]", s):
+            s = f"db{s}"
+            notes.append("prefixed with 'db' to start with a letter")
+        
+        # Truncate to max length
+        if len(s) > max_len:
+            s = s[:max_len]
+            notes.append(f"truncated to {max_len} characters")
+        
+        # SQL Server: can't start with 'rdsadmin'
+        if "sqlserver" in engine and s.lower().startswith("rdsadmin"):
+            s = f"db_{s}"
+            notes.append("prefixed to avoid 'rdsadmin' (SQL Server restriction)")
+        
+        return s, notes
+    
+    def _sanitize_username(self, username: str) -> str:
+        """
+        Sanitize master username to meet RDS requirements:
+        - Must begin with a letter (a-z, A-Z)
+        - Can contain alphanumeric characters and underscores
+        - Max 16 characters (AWS RDS master username limit)
+        - Cannot be a reserved word
+        
+        Args:
+            username: Raw username from config
+            
+        Returns:
+            Sanitized username
+            
+        Raises:
+            ValueError: If username is invalid
+        """
+        if not username:
+            raise ValueError("Username cannot be empty")
+        
+        sanitized, notes = self._sanitize_master_username_impl(username)
+        
+        if notes:
+            logger.info(f"Sanitized username from '{username}' to '{sanitized}': {', '.join(notes)}")
+        
+        return sanitized
+    
+    def _sanitize_master_username_impl(self, username: str) -> Tuple[str, List[str]]:
+        """
+        Sanitize master username according to AWS RDS rules:
+        - 1-16 characters
+        - Start with a letter
+        - Letters, digits, underscore only
+        - Not a reserved word
+        """
+        notes: List[str] = []
+        s = username
+        
+        # Replace hyphens with underscores, remove other invalid chars
+        s = s.replace("-", "_")
+        s_clean = re.sub(r"[^A-Za-z0-9_]", "", s)
+        if s_clean != s:
+            notes.append("removed invalid characters")
+        s = s_clean
+        
+        if not s:
+            raise ValueError(f"Username '{username}' contains no valid characters after sanitization")
+        
+        # Must start with a letter
+        if not re.match(r"^[A-Za-z]", s):
+            s = f"user{s}"
+            notes.append("prefixed with 'user' to start with a letter")
+        
+        # Truncate to 16 characters
+        if len(s) > 16:
+            s = s[:16]
+            notes.append("truncated to 16 characters")
+        
+        # Check against common reserved words
+        reserved = {"postgres", "mysql", "root", "admin", "rdsadmin", "system", "sa", "user"}
+        if s.lower() in reserved:
+            s = f"{s}_usr"
+            # Re-truncate if needed after adding suffix
+            if len(s) > 16:
+                s = s[:16]
+            notes.append("appended '_usr' to avoid reserved username")
+        
+        return s, notes

cdk_factory/configurations/resources/rum.py

@@ -125,11 +125,16 @@ class RumConfig(EnhancedBaseConfig):
 
     # SSM Integration
     @property
+    def ssm(self) -> Dict[str, Any]:
+        """SSM configuration for importing/exporting resources"""
+        return self.__config.get("ssm", {})
+
+    @property 
     def ssm_exports(self) -> Dict[str, str]:
         """SSM parameter paths for exporting RUM resources"""
-        return self.__config.get("ssm_exports", {})
+        return self.ssm.get("exports", {})
 
     @property
     def ssm_imports(self) -> Dict[str, str]:
         """SSM parameter paths for importing external resources"""
-        return self.__config.get("ssm_imports", {})
+        return self.ssm.get("imports", {})

cdk_factory/configurations/resources/s3.py

@@ -30,7 +30,7 @@ class S3BucketConfig(EnhancedBaseConfig):
                 "S3 Bucket Configuration must be a dictionary. Found: "
                 f"{type(self.__config)}"
             )
-        if len(self.__config.keys()) == 0:
+        if not self.__config.keys():
             raise ValueError("S3 Bucket Configuration cannot be empty")
 
     @property

cdk_factory/configurations/resources/security_group_full_stack.py

@@ -62,21 +62,20 @@ class SecurityGroupFullStackConfig:
         """Tags to apply to the Security Group"""
         return self.__config.get("tags", {})
 
+    @property
+    def ssm(self) -> Dict[str, Any]:
+        """SSM configuration"""
+        return self.__config.get("ssm", {})
+
     @property
     def ssm_imports(self) -> Dict[str, str]:
         """SSM parameter imports for the Security Group"""
-        # Check both nested and flat structures for backwards compatibility
-        if "ssm" in self.__config and "imports" in self.__config["ssm"]:
-            return self.__config["ssm"]["imports"]
-        return self.__config.get("ssm_imports", {})
+        return self.ssm.get("imports", {})
 
     @property
     def ssm_exports(self) -> Dict[str, str]:
         """SSM parameter exports for the Security Group"""
-        # Check both nested and flat structures for backwards compatibility
-        if "ssm" in self.__config and "exports" in self.__config["ssm"]:
-            return self.__config["ssm"]["exports"]
-        return self.__config.get("ssm_exports", {})
+        return self.ssm.get("exports", {})
 
     @property
     def security_groups(self) -> List[Dict[str, Any]]:

cdk_factory/configurations/resources/vpc.py

@@ -122,3 +122,22 @@ class VpcConfig(EnhancedBaseConfig):
     def isolated_subnet_name(self) -> str:
         """Custom name for isolated subnets"""
         return self.get("isolated_subnet_name", "isolated")
+
+    @property
+    def subnets(self) -> Dict[str, Any]:
+        """Subnet configuration for the VPC"""
+        return self.get("subnets", {
+            "public": {
+                "enabled": self.public_subnets,
+                "cidr_mask": self.public_subnet_mask,
+                "map_public_ip": True
+            },
+            "private": {
+                "enabled": self.private_subnets,
+                "cidr_mask": self.private_subnet_mask
+            },
+            "isolated": {
+                "enabled": self.isolated_subnets,
+                "cidr_mask": self.isolated_subnet_mask
+            }
+        })

cdk_factory/configurations/workload.py

@@ -5,6 +5,7 @@ MIT License.  See Project Root for the license information.
 """
 
 import os
+import copy
 from typing import Any, Dict, List
 
 from aws_lambda_powertools import Logger
@@ -66,13 +67,42 @@ class WorkloadConfig:
         if self.__app_config is None:
             raise ValueError("Configuration is not defined.")
 
+        # Create a deep copy to avoid mutating the original configuration
         if "workload" in self.__app_config:
-            workload = self.__app_config["workload"]
+            workload = copy.deepcopy(self.__app_config["workload"])
         else:
-            workload = self.__app_config
+            workload = copy.deepcopy(self.__app_config)
 
         self.__workload = workload
 
+        # Handle missing devops section gracefully
+        if "devops" not in workload:
+            logger.warning("Devops configuration not found in workload, using defaults")
+            
+            # Get environment variables for defaults
+            devops_account = os.environ.get("DEVOPS_AWS_ACCOUNT")
+            devops_region = os.environ.get("DEVOPS_REGION")
+            
+            # Validate required environment variables
+            if not devops_account or not devops_region:
+                raise ValueError(
+                    "DEVOPS_AWS_ACCOUNT and DEVOPS_REGION environment variables must be set when devops config is missing"
+                )
+            
+            # Use a separate defaults object instead of mutating the original
+            devops_defaults = {
+                "account": devops_account,
+                "region": devops_region,
+                "code_repository": {
+                    "name": os.environ.get("CODE_REPOSITORY_NAME", "default-repo"),
+                    "type": "connector_arn",
+                    "connector_arn": os.environ.get("CODE_REPOSITORY_ARN", f"arn:aws:codeconnections:{os.environ.get('DEVOPS_REGION', 'us-east-1')}:{os.environ.get('DEVOPS_AWS_ACCOUNT')}:connection/default")
+                },
+                "commands": []
+            }
+            
+            workload["devops"] = devops_defaults
+
         self.__devops = DevOps(workload["devops"])
         self.__management = Management(workload.get("management", {}))
         self.__cloudfront = CloudFrontConfig(workload.get("cloudfront", {}))

cdk_factory/constructs/ecr/ecr_construct.py

@@ -14,12 +14,12 @@ from constructs import Construct, IConstruct
 from cdk_factory.configurations.resources.resource_types import ResourceTypes
 from cdk_factory.configurations.resources.ecr import ECRConfig as ECR
 from cdk_factory.configurations.deployment import DeploymentConfig as Deployment
-from cdk_factory.interfaces.ssm_parameter_mixin import SsmParameterMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 
 logger = Logger(__name__)
 
 
-class ECRConstruct(Construct, SsmParameterMixin):
+class ECRConstruct(Construct, StandardizedSsmMixin):
     def __init__(
         self,
         scope: Construct,
@@ -30,6 +30,8 @@ class ECRConstruct(Construct, SsmParameterMixin):
         **kwargs,
     ) -> None:
         super().__init__(scope, id, **kwargs)
+        # Initialize StandardizedSsmMixin explicitly
+        StandardizedSsmMixin.__init__(self, **kwargs)
 
         self.scope = scope
         self.deployment = deployment
@@ -77,6 +79,11 @@ class ECRConstruct(Construct, SsmParameterMixin):
 
         This method uses the new configurable SSM parameter prefix system.
         """
+        # Check if SSM exports are configured
+        if not hasattr(self.repo, 'ssm_exports') or not self.repo.ssm_exports:
+            logger.debug("No SSM exports configured for ECR repository")
+            return
+        
         # Create a dictionary of resource values to export
         resource_values = {
             "name": self.ecr.repository_name,

cdk_factory/constructs/lambdas/policies/policy_docs.py

@@ -35,18 +35,18 @@ class ResourceResolver:
         """Get or create enhanced SSM parameter mixin"""
         if self._ssm_mixin is None:
             try:
-                from cdk_factory.interfaces.enhanced_ssm_parameter_mixin import (
-                    EnhancedSsmParameterMixin,
+                from cdk_factory.interfaces.standardized_ssm_mixin import (
+                    StandardizedSsmMixin,
                 )
 
-                self._ssm_mixin = EnhancedSsmParameterMixin()
+                self._ssm_mixin = StandardizedSsmMixin()
 
                 # Setup enhanced SSM integration if lambda config has SSM settings
                 lambda_dict = getattr(self.lambda_config, "dictionary", {})
                 ssm_config = lambda_dict.get("ssm", {})
 
                 if ssm_config.get("enabled", False):
-                    self._ssm_mixin.setup_enhanced_ssm_integration(
+                    self._ssm_mixin.setup_ssm_integration(
                         scope=self.scope,
                         config=lambda_dict,
                         resource_type="lambda",

cdk_factory/interfaces/istack.py

@@ -8,14 +8,14 @@ from abc import ABCMeta, abstractmethod
 import jsii
 from constructs import Construct
 from aws_cdk import Stack
-from cdk_factory.interfaces.ssm_parameter_mixin import SsmParameterMixin
+from cdk_factory.interfaces.standardized_ssm_mixin import StandardizedSsmMixin
 
 
 class StackABCMeta(jsii.JSIIMeta, ABCMeta):
     """StackABCMeta"""
 
 
-class IStack(Stack, SsmParameterMixin, metaclass=StackABCMeta):
+class IStack(Stack, StandardizedSsmMixin, metaclass=StackABCMeta):
     """
     IStack for Dynamically loaded Factory Stacks
     Only imports from constructs and abc to avoid circular dependencies.
@@ -23,7 +23,10 @@ class IStack(Stack, SsmParameterMixin, metaclass=StackABCMeta):
 
     @abstractmethod
     def __init__(self, scope: Construct, id: str, **kwargs) -> None:
-        super().__init__(scope, id, **kwargs)
+        # Initialize Stack first
+        Stack.__init__(self, scope, id, **kwargs)
+        # Initialize StandardizedSsmMixin (no super() call to avoid MRO issues)
+        StandardizedSsmMixin.__init__(self, **kwargs)
 
     @abstractmethod
     def build(self, *, stack_config, deployment, workload) -> None: